Apple "ignored" sandbox security warnings

Jack

PC Pro said:
Security researchers have slammed Apple for failing to fix a flaw in its sandboxing system, despite pushing developers to use it for all apps.

The outburst comes after CoreLabs found flaws in the sandbox system that Apple plans to make compulsory for developers creating Mac apps. Sandboxing keeps apps from accessing key parts of the OS in order to mitigate damage from malware.
The security company said it explained the vulnerabilities to Apple but the Mac maker ignored its September alert, prompting CoreLabs to go public with the warning before Apple had fixed the issue.

“This advisory is in the category 'user release', which is a rare thing for us to do - it means despite our best efforts the vendor chose not to patch the code we identified as vulnerable,” said Alex Horan, senior product manager for CoreLabs, in a blog post.
“Because this is a vulnerability within Apple OS X we made a well-thought decision to share information in order to educate users on how to protect themselves from harm.”

According to CoreLabs, the original report to Apple highlighted a problem whereby applications that should not be allowed network access could circumvent the sandbox system, but Apple had yet to make changes or notify users about the issue.
“Several of the default pre-defined sandbox profiles don’t properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality,” CoreLabs said.

“A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.”
Having alerted the company, CoreLabs expected some sort of action, but claims Apple ignored the warning.
